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Downloadable from 

http://www.tofinosecurity.com/how-stuxnet-spreads 
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The Stuxnet Worm 

• July 2010: Stuxnet worm was discovered attacking 
Siemens PCS7, S7 PLC and WinCC systems 
around the world 

• Infected 100,000 computers 

• Infected at least 22 manufacturing sites 

• Appears to have impacted its possible target, Iran's 
nuclear enrichment program 
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Isn't a Nuclear Materials System Air-Gapped? 

• How could Stuxnet migrate from the Internet to an 
isolated industrial control system? 

• Could the next worm do the same to a different 
victim? 
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A Trivial Scenario 

• Scenario: 

1. Joe finds a USB flash drive in the parking lot and brings it 
into the control room 

2. Joe plugs it into the PLC programming station 

3. PLC programming station infects PLCs 

• Solution: 

1. Ban all USB flash drives in the control room 

NOT Realistic! 
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Gap Analysis Methodology 

• Goal: Understanding the routes that a directed 
worm takes as it targets an ICS 

• Premise: Start with an industrial site that exactly 
follows the security best practices defined in vendor 
documents 

• Model: Map ways that Stuxnet could make its way 
through the defenses to cause physical damage 
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Core SIMATIC PCS 7 Control System Components 

[Figure: block diagram of the core PCS 7 components] 

• Engineering System (ES) Client 

• Operator System (OS) Client 

• Automation System (AS): S7 PLC 
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PCS 7 High Security Architecture 
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No Firewall Between 
CSN and PCN 
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Stuxnet Phases 
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Penetration (aka Handoff to Target Organization) 

• Stuxnet handoffs were highly focused 

• June 2009 to May 2010: 10 infiltration events 

• Handoffs were made to at least five separate 
target organizations 
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Sample Graph of Infected Hosts 

[Figure: infection graph for Domain E, infection initiation 2010/05/11. Courtesy of Symantec Inc.] 
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Penetration Possibilities 

• Employee given an infected USB flash drive 

• Employee given infected project files by a contractor 

• Employee sent an email carrying a "dropper" 

• Employee's laptop infected offsite 

Many possibilities for attackers 
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Core Propagation Methods 

• Via Infected Removable Drives 

• USB flash drives 

• Portable hard disks 

• Via Local Area Networks 

• Administrative and IPC Shares 

• Shared network drives 

• Print spooler services 

• SQL Connections 

• Via infected Siemens project files 

• WinCC files 

• STEP 7 files 




A very simplified view 
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Stuxnet Had Many Paths to its Victim PLCs 

[Figure: pathway diagram. Red highlights the more direct paths which bypass existing security controls.] 
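The gap analysis asks which routes a directed worm can still take once a site has applied the vendor's documented best practices. The block below is an added example, not code from this deck or from Tofino Security: it turns the propagation methods and the pathway diagram into a small graph model and searches it. The site layout is hypothetical (host names, zones and channel labels are assumptions that loosely follow the zoned PCS 7 reference architecture and the channels listed above), and the engineering download from the ES to the PLC is treated as a channel the plant cannot switch off. It enumerates every infection path to the PLC, shows how many paths survive when exactly one control such as a USB ban is applied, and finds the smallest sets of channels that close every path.

```python
"""Attack-path enumeration over a zoned ICS model.

Added example, not code from the deck or from Tofino Security. The site
layout, host names and channel labels are constructed for illustration and
loosely follow the zones of the PCS 7 reference architecture; channel names
echo the propagation methods above (USB, admin shares, print spooler,
SQL/WinCC, STEP 7 project files)."""
from itertools import combinations

# Directed hops: (source host, destination host) -> channels that can carry an
# infection across that hop. Hypothetical site; every entry is an assumption.
EDGES = {
    ("internet", "enterprise_pc"):      {"email_dropper", "usb"},
    ("contractor_laptop", "es_client"): {"usb", "step7_project_file"},
    ("enterprise_pc", "mon_server"):    {"admin_share", "print_spooler"},
    ("mon_server", "perimeter_wincc"):  {"sql_wincc"},
    ("perimeter_wincc", "os_client"):   {"sql_wincc", "admin_share"},
    # No firewall between the PCN (OS clients) and the CSN (ES client, PLC).
    ("os_client", "es_client"):         {"admin_share", "print_spooler"},
    # A USB stick carried straight from the office into the control room.
    ("enterprise_pc", "es_client"):     {"usb"},
    # The engineering download is how any PLC program change, hostile or not, lands.
    ("es_client", "s7_plc"):            {"step7_download"},
}
STARTS = ("internet", "contractor_laptop")
TARGET = "s7_plc"
# Channels the plant cannot simply switch off (the ES must program the PLC).
UNBLOCKABLE = frozenset({"step7_download"})


def enumerate_paths(edges, starts, target, blocked=frozenset()):
    """All simple paths from any start host to target that avoid the blocked
    channels. Each path is a list of (src, channel, dst) hops."""
    adj = {}
    for (src, dst), chans in edges.items():
        for ch in sorted(chans - set(blocked)):
            adj.setdefault(src, []).append((ch, dst))
    found = []

    def walk(node, seen, trail):
        if node == target:
            found.append(list(trail))
            return
        for ch, nxt in adj.get(node, []):
            if nxt in seen:
                continue
            trail.append((node, ch, nxt))
            walk(nxt, seen | {nxt}, trail)
            trail.pop()

    for s in starts:
        walk(s, {s}, [])
    return found


def residual_paths_per_control(edges, starts, target):
    """How many paths survive if exactly one channel is blocked. A control that
    leaves most paths standing (a USB ban, say) is not a perimeter."""
    channels = set().union(*edges.values()) - UNBLOCKABLE
    return {ch: len(enumerate_paths(edges, starts, target, {ch}))
            for ch in sorted(channels)}


def minimum_cuts(edges, starts, target):
    """Smallest sets of blockable channels that leave no path at all."""
    channels = sorted(set().union(*edges.values()) - UNBLOCKABLE)
    for k in range(1, len(channels) + 1):
        cuts = [frozenset(c) for c in combinations(channels, k)
                if not enumerate_paths(edges, starts, target, set(c))]
        if cuts:
            return cuts
    return []


if __name__ == "__main__":
    print("paths with no controls:", len(enumerate_paths(EDGES, STARTS, TARGET)))
    for ch, n in residual_paths_per_control(EDGES, STARTS, TARGET).items():
        print(f"block only {ch:20s} -> {n:2d} paths remain")
    for cut in minimum_cuts(EDGES, STARTS, TARGET):
        print("minimum cut:", sorted(cut))
```

On this constructed site the search finds 20 paths with no controls and 9 once USB is banned, so the fix from the "trivial scenario" removes fewer than half the routes; the two minimum cuts each need three channels closed at once (USB, contractor project files, and either e-mail or the WinCC SQL link). A real gap analysis replaces the constructed EDGES table with the site's own inventory of hosts and data flows; the search code does not change.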
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Some Lessons Learned 

• A modern ICS or SCADA system is highly complex 
and interconnected 

• Multiple potential pathways exist from the outside 
world to the process controllers 

• Assuming an air-gap between ICS and corporate 
networks is unrealistic 

• Focusing security efforts on a few obvious pathways 
(such as USB storage drives or the Enterprise/ICS 
firewall) is a flawed defense 
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Here Come the SCADA Vulnerabilities... 

• March 15, 2011: Moscow-based Gleg Ltd. released their 
Agora SCADA+ exploit pack for Canvas, which 
included 11 0-days (now at 54 exploits) 

• March 21, 2011: A security researcher from Italy "publicly 
disclosed" 34 vulnerabilities on 4 different platforms 

• March 22-23: Vulnerabilities 
disclosed for 2 more ICS platforms 

• April: Vulnerabilities disclosed 
for 5 additional ICS platforms 
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The Life Cycle of an ICS Exploit 

• ICS platforms are becoming an obvious target for 
attacks 

• "Security Researchers" focusing on SCADA/ICS 
because it is easy money/fame (little malicious 
intent) 

• Actors with intent have access to the weapons: 

• Download exploits for free (Italian list) 

• Purchase tool kits (Gleg) 

• Directed where to look for more vulnerabilities 
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Some Lessons Learned 

• SCADA and ICS are now targets of interest 

• Most systems have many exploit opportunities 

• Patching is an issue for many companies 

• Patch deployment requires plant downtime 

• Vendor only patches most current version 

• Patch releases are slow 

• Upgrading to latest version may not be an option 
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What Stuxnet Does to Its Victim 

1. Locates and infects STEP 7 programming stations 

2. Replaces a STEP 7 DLL on the stations 
(so a person viewing the logic would not see the 
changes that Stuxnet later makes to the PLC) 

3. Looks for specific models of Siemens PLCs (6ES7-315-2 
and 6ES7-417) 

4. Identifies a victim PLC by looking for specific 
configurations and strings 

5. Injects one of three STEP 7 code "payloads" into the 
PLC to change process operations 
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Understanding the Payloads 

• Payloads A & B are well understood and are fairly 
specific to the victim. 

• Payload C was disabled by the designers for some 
reason but... 

• It is a far more general purpose attack 



Basic PLC Architecture 
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Stuxnet's Legacy 

• Model for simple, destructive SCADA worms 

• Exploits inherent PLC design issues 

• Applicable to almost all industrial controllers 

• There are no possible "patches" to the PLC 
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Practical Solutions for ICS/SCADA 

• You are NOT going to be able to: 

• Get suppliers to provide vulnerability-free products 

• Patch every ICS system immediately 

• Cut off all pathways in to and out of the ICS 
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Practical Solutions for ICS/SCADA 

• It is possible to: 

• Restrict and manage the data flows into ICS systems 

• Restrict and manage the data flows out of ICS systems 

• Detect unusual behaviors in ICS systems 

• Patch most ICS products within a patch management 
strategy 

• Progressively reduce the probability of attacker success the 
deeper into the ICS/SCADA system they go 

Look At All Possible Pathways 

• Don't focus on a single pathway such as USB keys 

• Consider all possible infection pathways: 

• Removable Media (CDs, DVDs, USB Drives) 

• File Transfer (Database, PDFs, PLC Project Files) 

• Portable Equipment (Laptops, Storage Units, Config Tools) 

• Internal Network Connections (Business, Lab, QA, Support) 

• External Connections (Support, Contractor, Customer) 

• Wireless (802.11, 802.15, licensed-band, cellular, 
WirelessHART, ISA100.11a, Bluetooth, USB tethering) 

• Other Interfaces (Serial, Data Highways) 

• Have strategies for discovering/mitigating ALL 
pathways 
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Securing Last-line-of-Defense Critical Systems 
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SCADA/ICS-Appropriate Technologies 

• Deploy ICS-appropriate security technologies to 
raise an alarm when equipment is compromised or 
at risk of compromise 

• Look beyond traditional network layer firewalls, 
towards firewalls that are capable of deep packet 
inspection of key SCADA and ICS protocols 
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Example: Firewalls for Safety Systems 

• A firewall technology may be excellent, but the 
default assumptions determine its usability in an 
environment 

• Safety Instrumented Systems (SIS) 
need focused protection beyond the 
IT network firewall 

• Configuration is locked to an 
SIS-appropriate rule set 

[Figure: Honeywell Modbus Read-only Firewall for SIS] 
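As an added example of the read-only Modbus policy the slide describes for an SIS (my code, not the Honeywell or Tofino firewall's), the filter below parses each client-to-server Modbus/TCP frame, allows only well-formed requests for the four data-read functions addressed to the protected SIS unit, and drops everything else with a reason that can feed an alarm. The frame layout, function codes and read-quantity limits come from the public Modbus/TCP specification; the SIS unit number, the sample traffic and all helper names are assumptions constructed for this example.

```python
"""Read-only Modbus/TCP request filter for a safety-system (SIS) zone.

Added example, not the code of any product mentioned on this page. The MBAP
header layout, function codes and quantity limits follow the public Modbus/TCP
specification; the SIS unit id, the sample frames and the helper names are
assumptions constructed for this example."""
import struct

# The four data-read functions and the largest quantity each may request.
READ_FCS = {
    1: ("Read Coils", 2000),
    2: ("Read Discrete Inputs", 2000),
    3: ("Read Holding Registers", 125),
    4: ("Read Input Registers", 125),
}
# Functions that can change outputs, registers, files or device state.
WRITE_FCS = {
    5: "Write Single Coil", 6: "Write Single Register", 8: "Diagnostics",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    21: "Write File Record", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
MBAP = struct.Struct(">HHHB")


def build_request(tid, unit, fc, payload=b""):
    """Assemble a client->server frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def inspect_request(frame, sis_units):
    """Classify one client->server frame as ('ALLOW' | 'DROP', reason).

    Default deny: the frame must be well formed, addressed to an SIS unit, and
    carry one of the four read functions with an in-range quantity."""
    if len(frame) < MBAP.size + 1:
        return "DROP", "truncated frame"
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        return "DROP", f"protocol id {proto} is not Modbus"
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        return "DROP", f"length field {length} does not match frame ({len(frame) - 6})"
    if unit not in sis_units:
        return "DROP", f"unit {unit} is not a protected SIS unit"
    fc = frame[MBAP.size]
    if fc & 0x80:
        return "DROP", "exception response seen in request direction"
    if fc in WRITE_FCS:
        return "DROP", f"write function {fc} ({WRITE_FCS[fc]})"
    if fc not in READ_FCS:
        return "DROP", f"function {fc} is not on the read-only allow list"
    name, max_qty = READ_FCS[fc]
    # A read request is exactly MBAP + function code + start address + quantity.
    if len(frame) != MBAP.size + 5:
        return "DROP", f"malformed {name} request"
    _start, qty = struct.unpack_from(">HH", frame, MBAP.size + 1)
    if not 1 <= qty <= max_qty:
        return "DROP", f"{name} quantity {qty} outside 1..{max_qty}"
    return "ALLOW", name


def apply_policy(frames, sis_units):
    """Run the filter over a capture; returns all verdicts and the alarm list."""
    verdicts = [inspect_request(f, sis_units) for f in frames]
    alarms = [(i, why) for i, (v, why) in enumerate(verdicts) if v == "DROP"]
    return verdicts, alarms


# Constructed sample traffic toward SIS unit 1 (not a real capture).
SIS_UNITS = frozenset({1})
SAMPLE_TRAFFIC = [
    build_request(1, 1, 3, struct.pack(">HH", 0, 10)),        # read 10 registers
    build_request(2, 1, 1, struct.pack(">HH", 0, 8)),         # read 8 coils
    build_request(3, 1, 6, struct.pack(">HH", 0x10, 1)),      # write a register
    build_request(4, 1, 16, struct.pack(">HHB", 0, 2, 4) + b"\x00\x01\x00\x02"),
    build_request(5, 1, 3, struct.pack(">HH", 0, 200)),       # 200 > 125 registers
    build_request(6, 9, 3, struct.pack(">HH", 0, 1)),         # wrong unit id
    build_request(7, 1, 90, b"\x00"),                         # vendor-specific fc
    b"\x00\x08\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01",      # protocol id 1
]

if __name__ == "__main__":
    verdicts, alarms = apply_policy(SAMPLE_TRAFFIC, SIS_UNITS)
    for i, (v, why) in enumerate(verdicts):
        print(f"frame {i}: {v:5s} {why}")
    print(f"{len(alarms)} alarms raised")
```

The policy is default-deny: an unknown or vendor-specific function code is dropped as readily as an explicit write, and a frame whose length field disagrees with its real size is dropped before the function code is even examined. Locking the rule set, as the slide puts it, means the allow list is fixed in the device rather than edited per site; in this model that is the READ_FCS table and the SIS unit set.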
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Some Closing Thoughts... 

• Stuxnet has changed the threat landscape 

• ICS/SCADA is the target of sophisticated attacks 

• ICS/SCADA is the focus for vulnerability discovery 

• Industry must accept that the complete prevention of 
ICS infection is probably impossible 

• Improved defense-in-depth strategies for industrial 
control systems are needed urgently 

• Waiting for the next worm may be too late 
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